The following policy, standards, and guidelines are provided to assist state agencies in complying with current incident response and reporting requirements and in establishing and maintaining internal incident management functions.

Incident Management Reporting

Incident Reporting

State policy requires agencies to follow a prescribed process when information security incidents occur. Typically, the agency's Information Security Officer (ISO) is responsible for notifying the proper authorities. The prescribed process includes the following steps:

1. Reporting an Incident through the California Compliance and Security Incident Reporting System (Cal-CSIRS)

State policy requires state entities to notify the California Office of Information Security (OIS) and the California Highway Patrol (CHP) immediately following discovery of an incident. Each state entity's Chief Information Officer (CIO), Information Security Officer (ISO), or assigned incident reporting personnel (as designated on the Cal-CSIRS Designee Request Form (XLSX)), collectively referred to hereinafter as authorized California Compliance and Security Incident Reporting System (Cal-CSIRS) users, is responsible for notifying the proper authorities.

Immediately report the incident through Cal-CSIRS. Cal-CSIRS will prompt for specific information about the incident and will notify the OIS and the CHP Computer Crimes Investigation Unit (CCIU). A system-generated e-mail confirmation is sent to the authorized Cal-CSIRS users acknowledging that the OIS and CCIU have received the Cal-CSIRS notification.

IMPORTANT: Incident notification made to CHP or to our Office outside of the Cal-CSIRS notification process, whether by e-mail or other means, is NOT an acceptable substitute for the required notification through Cal-CSIRS.

Any actions taken at or following the time of discovery and prior to reporting the incident in Cal-CSIRS.

The ISO should attempt to gather the following additional information before reporting incidents involving computer-related theft or crime:

Make / model of the affected computer(s).

Serial and state asset identification numbers of affected devices.

IP address of the affected computer(s).

Assigned name of the affected computer(s).

Operating system of the affected computer(s).

Location of the affected computer(s).

IMPORTANT: Reporting should NOT be delayed until all of this information is gathered. In some circumstances this information may not be readily available when the incident is first reported to the ISO. The ISO should therefore make the report through Cal-CSIRS, providing as much of this information as is available at the time the report is received.

3. Personally Identifiable Information

During this reporting process, it is also important to report whether the incident involves personally identifiable information, such as breach notice-triggering personal information as defined in California Civil Code Section 1798.29.

Effective January 1, 2016, California Civil Code Sections 1798.29 and 1798.82 were amended to require breach notifications to be provided in a specific format and to include certain content. Security Breach Reporting and Notification Templates are provided on the Resources page. Policy requires state entities to submit any breach notification to the Office of Information Security for review and approval prior to its release.

Further, Civil Code Section 1798.29(e) requires any state entity that must issue a security breach notification to more than 500 California residents as a result of a single breach to electronically submit a sample copy of the breach notification, excluding any personally identifiable information, to the Attorney General. The Attorney General's procedures for sample submission are available on its website. See SIMM 5340-C (PDF) for instructions and process.

4. Emergency Assistance Outside of Normal Business Hours

If the Cal-CSIRS system is offline during normal business hours, contact OIS directly by phone at (916) 445-5239 or by e-mail at security@state.ca.gov for assistance. If the Cal-CSIRS system is offline outside of normal business hours and you require immediate law enforcement assistance, contact CHP's Emergency Notification and Tactical Alert Center (ENTAC) at (916) 843-4199. This telephone number is staffed 24 hours a day, seven days a week. The officers at ENTAC will forward the information to CCIU for immediate assistance. When notification is made outside of normal business hours through CHP, it is the state entity's responsibility to notify OIS of the incident on the next business day.

5. Additional Information and Forms

Depending upon the nature of the incident and the assets affected by it, the entity may be required to submit the following additional written reports to other state entities:

Risk Management

State Administrative Manual (SAM)

The SAM is a central point for statewide policies, procedures, regulations and information developed and issued by authoring agencies such as this Office, the Department of Finance (Finance), the Department of General Services (DGS), and the Governor's Office. The following SAM policies directly relate to operational recovery and business continuity.

As announced in Management Memo (MM) 08-02 (PDF), the policy sections related to information security and privacy were restructured and renumbered effective February 19, 2008. No policies were changed by MM 08-02 or by this restructure.

Statewide Information Management Manual (SIMM)

The signed Certification acknowledges that the agency is in compliance with state policy governing risk management and privacy requirements as defined in SAM Section 5305.2 (PDF), Government Code Section 11019.9, and the Information Practices Act (Civil Code Section 1798 et seq.). It is due to the California Office of Information Security by January 31 of each year.

Each state entity is responsible for establishing an Information Security Program to effectively manage risk. The state entity's information security program shall incorporate an Information Security Program Plan (ISPP) that provides for the proper use and protection of its information assets, including a Plan of Action and Milestones (POAM) process for addressing information security program deficiencies.

Risk Management Resources

These are tools for agencies to use in identifying information security risks and to help mitigate the issues.

Risk Assessment Toolkit

As outlined in the State Administrative Manual (SAM) Section 5305 et seq. (PDF), risk management is the process of taking actions to avoid or reduce risk to acceptable levels. This process includes both the identification and assessment of risk through risk analysis (SAM Section 5305.1) and the initiation and monitoring of appropriate practices in response to that analysis through the agency's risk management program.

Risk assessment is a critical component of that process and ensures that state agencies have an effective risk management plan in place, as defined in SAM Sections 5305 et seq. Although the following tools are available to help agencies identify information security risks and mitigate the issues found, it may be difficult for an agency to determine where to start with a risk assessment or which tool is best suited to its situation. Guidance on a suggested strategy for a successful information security program and on conducting an effective risk assessment can be found in the Information Security Program Guide for State Agencies.

The California Office of Information Security (Office) web site contains links to other sites that are not owned or controlled by us. The information provided at these sites does not reflect the views of this Office or indicate an endorsement of a particular company or product. Please be aware that our Office is not responsible for the security and privacy practices of such other sites.

This simple checklist provides a high-level view of common security practices. It is not intended to cover all of the steps agencies must take to complete the annual risk certification process, but it may be useful as part of a periodic risk analysis or for a targeted review of security practices in specific areas. General instructions for its use are included in the checklist's Introduction section. Its intended audience is executive management, as a basic tool for risk assessment.

This is a comprehensive risk assessment checklist developed by the SANS (SysAdmin, Audit, Network, Security) Institute and based upon the International Organization for Standardization (ISO) 17799:2005 standard for an information security program (ISO/IEC 17799:2005 has since been renumbered as ISO/IEC 27002; the control areas are the same). The checklist does not provide vendor-specific security considerations but rather a generic set of security considerations to be used when auditing an organization's information technology security. Its intended audience is a team, which might include members from the agency's business and program areas, information technology, human resources, and the agency's Information Security Officer.

HIPAA requires every organization that maintains or transmits protected health information to take specific steps to comply with regulations in the areas of privacy, technology, security, and transaction coding. The California Office of Health Information Integrity (CalOHII) has provided the following HIPAA Security Compliance Review Tool to help agencies determine their level of compliance with the Final Security Rule.

The Payment Card Industry (PCI) Data Security Standard (DSS) is the set of security and compliance monitoring requirements that every organization accepting payment cards for the reimbursement of fees and services must follow in order to protect cardholder data. The following tools are available to assist agencies with meeting these requirements:

This Self-Assessment Questionnaire (SAQ) is an important validation tool that is primarily used by smaller merchants and service providers to demonstrate compliance with the PCI DSS.

It is important to document the results of the risk assessment in a report that can be given to the agency's executive management. This sample report provides a template for a brief overview, the problems identified, and the recommended corrections or mitigations. Consider using this format for reporting your findings and recommendations to your executive management.

The Nationwide Cyber Security Review (NCSR) is a voluntary self-assessment survey designed to evaluate cyber security management. The NCSR provides participants with instructions and guidance, supplemental documentation, and the ability to contact the NCSR help desk directly from the survey. The survey opens on October 1, to coincide with National Cyber Security Awareness Month, and closes on November 30.

Once complete, participants have immediate access to an individualized report that measures the level of adoption of security controls within their organization and includes recommendations on how to raise the organization's risk awareness. In odd-numbered years only, the MS-ISAC and DHS aggregate all review data and share a high-level summary with all participants; the names of participants and their organizations are not identified in this summary. The same report is provided to Congress in those years to highlight cybersecurity gaps and capabilities among State, Local, Territorial and Tribal Governments.

Technology Recovery Program

State Administrative Manual (SAM)

The following SAM policies directly relate to technology recovery and business continuity requirements.

Unless otherwise directed, each state agency/entity shall provide quarterly updates on progress toward completion of its plans. Quarterly due dates are the last business day of January, April, July, and October.

For hand delivery, upon arrival go to the 2nd floor security desk (Suite 200). The security desk staff will contact someone from our office to pick up your materials. Note: If you choose to mail in the TRP, confirm delivery terms with your selected courier service prior to sending; contracted delivery/courier services may not deliver to the PO Box or to the physical address.

OIS Foundational Framework

State Administrative Manual (SAM) 5300

The State Administrative Manual (SAM) is a central point for statewide policies, procedures, regulations and information developed and issued by authoring agencies such as this Office, the Department of Finance (Finance), the Department of General Services (DGS), and the Governor's Office. A searchable copy of the document is available under State Administrative Manual (SAM).